The OpenNMS Group AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

The OpenNMS Group AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

C-Information leaked appears non-critical/sensitive

PR-No privileges needed

OR
     *cpe:2.3:a:opennms:horizon:31.0.8:*:*:*:*:*:*:*
     *cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:* versions from (including) 32.0.0 up to (excluding) 32.0.2

OR
     *cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:* versions from (including) 2020.0.0 up to (excluding) 2020.1.38
     *cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:* versions from (including) 2021.0.0 up to (excluding) 2021.1.30
     *cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:* versions from (including) 2022.1.0 up to (excluding) 2022.1.9
     *cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:* versions from (including) 2023.0.0 up to (excluding) 2023.1.6

NIST AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

NIST CWE-611

https://docs.opennms.com/horizon/32/releasenotes/changelog.html No Types Assigned

https://docs.opennms.com/horizon/32/releasenotes/changelog.html Release Notes

https://github.com/OpenNMS/opennms/pull/6355 No Types Assigned

https://github.com/OpenNMS/opennms/pull/6355 Patch

The OpenNMS Group AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

The OpenNMS Group AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an o

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an o

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an o

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an o